
LFD does not start

Posted: 12 Sep 2019, 19:08
by nebulos
Hi

How do I troubleshoot this problem, where lfd does not start after the installation?

# service lfd restart


Job for lfd.service failed because the control process exited with error code.
See "systemctl status lfd.service" and "journalctl -xe" for details.
journalctl -xe


-- 
-- The unit apt-daily.service has successfully entered the 'dead' state.
Sep 12 20:31:31 ts systemd[1]: Started Daily apt download activities.
-- Subject: A start job for unit apt-daily.service has finished successfully
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit apt-daily.service has finished successfully.
-- 
-- The job identifier is 1852.
Sep 12 20:39:01 ts CRON[9234]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 12 20:39:01 ts CRON[9235]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Sep 12 20:39:01 ts CRON[9234]: pam_unix(cron:session): session closed for user root
Sep 12 20:40:01 ts CRON[9248]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
Sep 12 20:40:01 ts CRON[9249]: (smmsp) CMD (test -x /etc/init.d/sendmail && test -x /usr/share/sendmail/sendmail && test -x /usr/lib/sm.bin/sendmail && /usr/share/sendmail/sendmail cron-msp)
Sep 12 20:40:01 ts CRON[9248]: pam_unix(cron:session): session closed for user smmsp
Sep 12 20:47:54 ts systemd[1]: Starting ConfigServer Firewall & Security - lfd...
-- Subject: A start job for unit lfd.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit lfd.service has begun execution.
-- 
-- The job identifier is 1893.
Sep 12 20:47:54 ts lfd[9409]: csf and lfd have been disabled
Sep 12 20:47:54 ts systemd[1]: lfd.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- An ExecStart= process belonging to unit lfd.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Sep 12 20:47:54 ts systemd[1]: lfd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- The unit lfd.service has entered the 'failed' state with result 'exit-code'.
Sep 12 20:47:54 ts systemd[1]: Failed to start ConfigServer Firewall & Security - lfd.
-- Subject: A start job for unit lfd.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit lfd.service has finished with a failure.
-- 
-- The job identifier is 1893 and the job result is failed.
Sep 12 20:54:03 ts systemd[1]: Starting ConfigServer Firewall & Security - lfd...
-- Subject: A start job for unit lfd.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit lfd.service has begun execution.
-- 
-- The job identifier is 1934.
Sep 12 20:54:03 ts lfd[9521]: csf and lfd have been disabled
Sep 12 20:54:03 ts systemd[1]: lfd.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- An ExecStart= process belonging to unit lfd.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Sep 12 20:54:03 ts systemd[1]: lfd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- The unit lfd.service has entered the 'failed' state with result 'exit-code'.
Sep 12 20:54:03 ts systemd[1]: Failed to start ConfigServer Firewall & Security - lfd.
-- Subject: A start job for unit lfd.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- A start job for unit lfd.service has finished with a failure.
-- 
-- The job identifier is 1934 and the job result is failed.

error log


Sep 12 00:29:58 ts lfd[11273]: UI: *Error* cannot open server on port 5268: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8894
Sep 12 00:30:03 ts lfd[10250]: Integrated UI Service died, restarted
Sep 12 00:30:03 ts lfd[11274]: UI: *Error* cannot open server on port 5268: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8894
Sep 12 00:30:08 ts lfd[10250]: Integrated UI Service died, restarted
Sep 12 00:30:08 ts lfd[11276]: UI: *Error* cannot open server on port 5268: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8894
Sep 12 00:30:13 ts lfd[10250]: Integrated UI Service died, restarted
Sep 12 00:30:13 ts lfd[11278]: UI: *Error* cannot open server on port 5268: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8894
Sep 12 00:30:18 ts lfd[10250]: Main Process: TERM
Sep 12 00:30:18 ts lfd[10250]: daemon stopped

I tried to disable the UI, but it didn't help. It still doesn't start.

Is there a way to make lfd log more info in case of errors?
Where to look next?

Re: LFD does not start

Posted: 15 Sep 2019, 14:36
by Ricky
In /etc/csf/csf.conf try to set TESTING = "0" and then try csf -r

Re: LFD does not start

Posted: 15 Sep 2019, 20:31
by BallyBasic79
nebulos, I have no previous experience with this error, however I offer a few items that may assist you.
Sep 12 00:29:58 ts lfd[11273]: UI: *Error* cannot open server on port 5268: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8894
Looking at sub ui in lfd.pl, this error is triggered when lfd is not able to instantiate an SSL socket with the csf-provided certificates:


	SSL_key_file => '/etc/csf/ui/server.key',
	SSL_cert_file => '/etc/csf/ui/server.crt',
A quick search on those error messages seems to indicate issues with an invalid certificate format.
I don't know much about your server environment and haven't dealt with this before, but I would check the following:
  • Run the csftest script (although it looks like it tests the iptables, not the server environment.)
  • Confirm proper file permissions for the SSL files above (root 600)
  • Web server SSL settings.
  • Maybe try reinstalling CSF from a fresh source.
Hope something here helps.
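
The checks suggested in the two replies above (the TESTING value in csf.conf, mode 600 on the UI key and certificate, and whether those files are in a recognisable certificate format) can be scripted. The following is an added example, not code from the posters or from the csf project; the function names are hypothetical, and it assumes GNU `stat` and that the UI files are expected to be PEM-encoded.

```shell
#!/bin/sh
# Added example: triage of the lfd UI start-up checks suggested in this thread.
# Paths are parameters so the functions work on /etc/csf or on test copies.

# Print the value of TESTING from a csf.conf-style file (KEY = "value").
csf_testing_value() {
    sed -n 's/^[[:space:]]*TESTING[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Succeed only if the file is mode 600 (owner read/write only).
is_mode_600() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Print the label of the first PEM armor line, or "none" if there is no PEM header.
pem_label() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${label:-none}"
}

# Full parse of the certificate; only meaningful on a host with openssl installed.
cert_parses() {
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Check csf.conf plus the UI directory; the return code is the number of problems.
# Typical call on the affected host: check_lfd_ui /etc/csf/csf.conf /etc/csf/ui
check_lfd_ui() {
    conf=$1 dir=$2 problems=0
    [ "$(csf_testing_value "$conf")" = "0" ] || {
        echo "$conf: TESTING is not \"0\""; problems=$((problems + 1)); }
    for name in server.key server.crt; do
        f="$dir/$name"
        [ -s "$f" ] || { echo "$f: missing or empty"; problems=$((problems + 1)); continue; }
        is_mode_600 "$f" || { echo "$f: mode is not 600"; problems=$((problems + 1)); }
        kind=$(pem_label "$f")
        case "$name:$kind" in
            server.crt:CERTIFICATE|server.key:*"PRIVATE KEY") ;;
            *) echo "$f: unexpected PEM label '$kind'"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}
```

A file that passes the header check can still be corrupt inside; `cert_parses /etc/csf/ui/server.crt` confirms that the certificate body actually decodes.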